IN THE CLAIMS : 

Please cancel claims 1-90 and add the following new claims 91-129. 
1-90. (Canceled) 

91 . (New) A computer-readable medium having stored thereon a control access data 
structure for defining an access right to an operation of one or more objects within a 
computing environment, the control access data structure comprising: 

an identification field for storing a unique identifier of the control access data 
structure; 

one or more object identification fields for associating the control access data 
structure with the one or more objects of the computing environment; and 

wherein the control access data structure corresponds to an access control entry 
of the one or more objects, and wherein the access control entry associates the access 
right with a trusted user of the computing environment. 

92. (New) The computer-readable medium of claim 91 , wherein an individual object 
identification field of the control access data structure stores a unique identifier of an 
associated object. 

93. (New) The computer-readable medium of claim 91 having further stored thereon 
one or more access control entries (ACE's), wherein each ACE includes a rights field for 
associating the control access data structure with one of the one or more objects. 

94. (New) The computer-readable medium of claim 93, wherein the rights field of 
each ACE stores the unique identifier of the control access data structure. 



95. (New) The computer-readable medium of claim 93, wherein each ACE further 
includes a trusted user field for associating an ACE with the trusted user of the 
computing environment. 

96. (New) The computer-readable medium of claim 95, wherein the trusted user field 
of each ACE stores a unique identifier of the trusted user. 

97. (New) A computer program for controlling user requested operations on an 
object in a computing environment having a set of predefined access rights, the 
computer program being stored on a machine readable medium and comprising: 

means for defining an access right component that defines a permission 
corresponding to a desired operation of the object; 

means for associating the access right component with the object; 

means for associating the access right component with an access control entry 
corresponding to the object; and 

means for associating the access right component with a user in order to grant 
the desired operation. 

98. (New) The computer program of claim 97, further comprising an administrative 
tool for controlling the defining means. 
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99. (New) The computer program of claim 97, further comprising an interface for 
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allowing a user application to programmatically control the defining means. 
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100. (New) The computer program of claim 97, wherein the means for associating the 
access right component with the object includes means for storing a unique identifier of 
the object within a field of a control access data structure created by the defining 
means. 

101 . (New) The computer program of claim 97, wherein the means for associating the 
access right component with the user includes: 

means for adding the access control entry (ACE) to an access control list (ACL) 
that corresponds to the object; 

means for storing a unique identifier of a control access data structure within a 
first field of the ACE; and 

means for storing a unique identifier of the user within a second field of the ACE. 

102. (New) A method comprising: 

creating an access control entry as a component of an access control list that is 
associated with at least one object in a computing environment, the access control entry 
identifying a security principal; 

defining an extensible access right component that defines access to one or 
more operations of the at least one object; 

associating the extensible access right component with the access control entry 
such that the security principal is authorized to access the one or more operations of the 
at least one object. 



103. (New) A method as recited in claim 102, wherein defining includes creating the 
extensible access right component as a component of the access control entry. 

104. (New) A method as recited in claim 102, wherein defining the extensible access 
right component includes defining access to a property of the at least one object. 

105. (New) A method as recited in claim 102, wherein defining the extensible access 
right component includes defining access to a method exposed by the at least one 
object. 

106. (New) A method as recited in claim 102, wherein defining the extensible access 
right component includes defining access to a property of the at least one object, and 
wherein associating includes associating the extensible access right component with 
the security principal such that the security principal is authorized to access the property 
of the at least one object. 

107. (New) A method as recited in claim 102, wherein defining the extensible access 
right component includes defining access to a method exposed by the at least one 
object, and wherein associating includes associating the extensible access right 
component with the security principal such that the security principal is authorized to 
initiate the method. 



108. (New) A method as recited in claim 102, wherein defining includes an application 
executing in the computing environment defining the extensible access right 
component. 

109. (New) A method as recited in claim 102, wherein defining includes an application 
executing in the computing environment defining the extensible access right component 
as a component of the access control entry, 

110. (New) A method as recited in claim 102, wherein defining includes creating a 
control access data structure, and wherein associating includes maintaining a unique 
identifier of the at least one object with the control access data structure. 

111. (New) A method as recited in claim 102, wherein associating includes the access 
control entry maintaining a unique identifier of the extensible access right component. 

112. (New) A method as recited in claim 102, wherein associating includes the access 
control entry maintaining a unique identifier of a control access data structure that 
represents the extensible access right component. 

113. (New) One or more computer-readable media comprising computer executable 
instructions that, when executed, direct a computing system to perform the method of 
claim 102. 



114. (New) One or more computer-readable media maintaining an extensible control 
access right comprising: 

a control access data structure that includes: 

an identification field to maintain a unique identifier of the control access data 
structure; 

an object identification field to maintain a unique identifier of an object within a 
computing environment, the object identification field configured to associate the control 
access data structure with the object; and 

wherein the control access data structure defines access by an authorized 
security principal to one or more operations of the object. 



115. (New) One or more computer-readable media as recited in claim 1 14, wherein 
the control access data structure further includes at least one other object identification 
field to maintain a second unique identifier of at least one other object within the 
computing environment, the one other object identification field configured to associate 
the control access data structure with the one other object. 



116. (New) One or more computer-readable media as recited in claim 114, the 
extensible control access right further comprising an access control entry that is 
associated with the object, the access control entry configured to maintain the unique 
identifier of the control access data structure to associate the control access data 
structure with the object. 
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117. (New) One or more computer-readable media as recited in claim 1 14, the 
extensible control access right further comprising an access control entry that is 
associated with the object, the access control entry configured to: 

associate the control access data structure with the object; and 
associate the authorized security principal with the object and with the control 
access data structure. 



118. (New) One or more computer-readable media as recited in claim 114, the 
extensible control access right further comprising an access control entry that is 
associated with the object, the access control entry configured to maintain: 

a unique identifier of the control access data structure to associate the control 
access data structure with the object; and 

a unique identifier of the authorized security principal to associate the authorized 
security principal with the object and with the control access data structure. 
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1 1 9. (New) A computing system comprising: 

an operating system to manage one or more objects within the computing 
system, an individual object having an access control list of predefined operating 
system permissions to perform corresponding operations on the individual object; 

an access control entry to identify a security principal, the access control entry 
associated with the individual object as a component of the access control list; 

an extensible access right to define access to one or more operations of the 
individual object, the extensible access right associated with the access control entry 
such that the security principal is authorized to access the one or more operations of the 



individual object. 

120. (New) A computing system as recited in claim 119, further comprising an 
application to generate a control access data structure that defines the extensible 
access right. 

121 . (New) A computing system as recited in claim 119, further comprising a control 
access data structure that defines the extensible access right, the control access data 
structure configured to maintain a unique identifier of the individual object. 

122. (New) A computing system as recited in claim 119, further comprising a control 
access data structure that defines the extensible access right, the control access data 
structure configured to maintain a unique identifier of the individual object, and wherein 
the access control entry is configured to maintain a unique identifier of the control 
access data structure to associate the control access data structure with the individual 
object and with the security principal. 

123. (New) A computing system as recited in claim 1 19, wherein the access control 
entry is configured to maintain a unique identifier of the security principal to associate 
the security principal with the individual object. 

124. (New) A computing system as recited in claim 119, wherein the extensible 
access right further defines access to a property of the individual object. 
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125. (New) A computing system as recited in claim 119, wherein the extensible 
access right further defines access to a method exposed by the individual object. 

126. (New) A computing system as recited in claim 119, wherein the extensible 
access right further defines access to a property of the individual object, the extensible 
access right associated with the access control entry such that the security principal is 
authorized to access the property of the individual object. 

127. (New) A computing system as recited in claim 119, wherein the extensible 
access right further defines access to a method exposed by the individual object, the 
extensible access right associated with the access control entry such that the security 
principal is authorized to initiate the method. 

128. (New) A computing system as recited in claim 119, further comprising a control 
access data structure that defines the extensible access right, and wherein the 
extensible access right can be redefined with a change of values maintained by the 
control access data structure. 

129. (New) A computing system as recited in claim 119, further comprising a control 
access data structure that defines the extensible access right, and wherein the 
extensible access right can be redefined without a change to the access control entry. 
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